CVE-2026-41607 | Severity: CRITICAL | CNA: apache

CVE-2026-41607: Apache Thrift: C++ JSON OOB read

Out-of-bounds Read vulnerability in Apache Thrift. This issue affects Apache Thrift: before 0.23.0. Users are recommended to upgrade to version 0.23.0, which fixes the issue.

Metrics

CVSS v3.1: 9.1
Severity: CRITICAL
Fixed in: 0.23.0
Affected Products: 1


HarborGuard Analysis

Synopsis

An out-of-bounds read vulnerability exists in the C++ JSON parsing component of Apache Thrift before version 0.23.0. The flaw is reachable over the network without any authentication, meaning any client that can send JSON-encoded Thrift traffic to the affected service can trigger it. Successful exploitation lets an attacker read memory contents from the process and crash the service, resulting in sensitive data disclosure and a denial of service. A patched-image rebuild at version 0.23.0 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection: Available

Detection of CVE-2026-41607 is available across every HarborGuard environment, with the CVE matched against images in customer registries and CI/CD pipelines within minutes of publication. Coverage extends to custom-built images that bundle Apache Thrift as a vendored or compiled-in dependency, not only official upstream base images.

Triage: Available

HarborGuard scores this CVE at its published CVSS v3.1 severity of 9.1 (Critical) and applies per-environment compliance policy weighting to determine urgency. Triage routing to the appropriate team inbox within each customer organization is available as soon as a match is identified.

Patch: Available

A patched-image rebuild pinned to Apache Thrift 0.23.0 becomes available on HarborGuard for any environment where an affected image is detected. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite against the new image, and opens a pull request against affected workloads automatically.

Exploit Conditions

  • Network reachability: Required

    The vulnerable parser is exposed over the network; an attacker must be able to send JSON-encoded Thrift traffic to the target service from a remote host.

  • Authentication: Not required

    No credentials or session token of any kind are needed to reach the vulnerable code path.

  • Victim interaction: Not required

    The attacker sends a malformed request directly to the service; no user action or social engineering is required.

  • Attack complexity: Low (AC:L)

    The exploit is reliable and imposes no special preconditions such as race conditions or knowledge of memory layout; a crafted request is sufficient.

Blast Radius

  • Reads process memory beyond the intended buffer, which may expose in-flight request data, heap contents, or internal state such as connection credentials or session material.
  • Triggers an out-of-bounds read that crashes the affected service, causing a denial of service for all clients depending on that endpoint.
  • Any secrets or tokens held in the process address space at the time of the read are at risk of disclosure to the attacker.

How HarborGuard Handles This

Available on HarborGuard: detection fires within minutes of CVE publication for any image containing Apache Thrift below 0.23.0, including privately built images. Where compliance policy permits, a rebuilt image at the fixed version 0.23.0 is prepared automatically. For customers who opt into auto-remediation, HarborGuard opens a patch PR against every affected workload after completing a regression run against the rebuilt image; for Critical-severity issues, the median time from CVE publication to a merged patch PR is around 90 minutes in environments with auto-remediation enabled. Customers who manage patching manually will find the fix version and affected image list surfaced in their HarborGuard dashboard immediately upon detection.


Fix available: 0.23.0

Affected packages
  • Apache Software Foundation / Apache Thrift: < 0.23.0 (from 0)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H